The NFL has had a tough week. The Ray Rice stuff I mentioned last week. And uber-running-back Adrian Peterson deactivated on Sunday, due to a child abuse indictment. The stories are terrible, especially given that NFL players are explosive athletes and trained in violence. No kid or spouse has a chance in the face of an angry NFL player. And no, I’m not going to anywhere near Floyd Mayweather on this topic.

Peterson’s excuse was that he was just disciplining his 4 year old, just as he was disciplined as a child. With a switch, which is evidently a thin tree branch. Of course we are hearing about switches and abusers because these high-profile athletes make millions a year. They are human. They make mistakes, regardless of their bankrolls. And like everyone else (including you and m), they are defined by their experiences. I’m not making excuses – what they have done is not really excusable.

But the real point isn’t about suspending or pushing Adrian Peterson, Ray Rice, Greg Hardy, or Ray McDonald out of the league. It is about trying to figure out how to break the cycle. Many of these people grew up in abusive environments. That is all they know, and they think it is the way to get results. Peterson’s public statement indicates he has worked with a counselor to learn other techniques for disciplining children. That’s good to hear. It doesn’t heal the scars on his son’s legs or psyche, but it’s a start.

No one teaches you how to be a parent. There is no curriculum. There are no training courses, besides child CPR and maybe changing a diaper. You figure things out. You do what you think is right. If you don’t like how you grew up, maybe you decide to do things differently. Or maybe you do the same because that’s all you know.

Abuse of any kind is terrible and exacts a toll over generations. Yes, we should punish those responsible, but we also need to address the root causes if we want to change anything. That requires education and support for parents at risk of abuse. Given the prevalence of online education and training, there is a better way to do this, and the Internet is a part of the answer. At some point someone will figure it out, and we’ll all be better for it.

Until then you can only feel bad for the people (especially kids) on the other end of the switch.


Photo credit: “Little 500 Wreck 2005” originally uploaded by Lambda Chi Alpha Fraternity

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Secure Agile Development

Trends in Data Centric Security

Newly Published Papers

Incite 4 U

  1. Living to fight another day: Given the inevitability of breaches, as a security professional you will come into contact with PR/media spin doctors at some point. Probably sooner rather than later. They may be external folks with fancy cards which say crisis communications, but odds are they don’t know much more than you about dealing with a security breach. Kellie Cummings has a great primer of things to remember, highlighting issues like slow response, lack of candor, missing transparency, mismanaged expectations, and imprecise statements that undermine trust… and trust is critical for crisis communications. So don’t be afraid to share your opinion when you know the spinsters are screwing up. Not to be melodramatic, but your job might depend on it. – MR
  2. Radicals: Most people, if presented with a plate of common food additives would not willing put any of them in their mouths. You might even think you were being poisoned. But invisibly embedded in food, you have no idea any nasty stuff is there, and you consume willingly. Browsers are the same way – if you looked closely at how many ways a browser can scrape user, machine, and session data you would be appalled. Likely you would ban these things from your firm. But personal data silently and invisibly exploited by marketing and analytics firms gets a pass, and since we cannot detect attackers leveraging them nobody is willing to rock the boat. Enterprise IT folks spend tons on anti-fraud, malware, and phishing detection products – and millions more to control BYOD – but on browser security settings and plug-ins? Not so much. Which is why I was shocked to see a group of librarians taking browser security more seriously than your average enterprise. Librarians FTW! – AL
  3. Remember Tyson: I am constantly reminded of a truth from Mike Tyson: “Everyone has a plan ‘til they get punched in the mouth.” That is absolutely true, but you still need the plan. Accuvant’s James Christiansen summarizes a recent Dark Reading Radio interview he conducted about the changing role of the CISO and how it impacts planning. He mentions that the CISO is now a “strategic business manager”, interacting frequently with the board and auditors. The second question I typically get from CISOs is how to present value to senior management and the board, so I have to concur. (The first question is usually about finding and retaining talent.) I don’t listen to podcasts or radio interviews because I read faster than they talk (especially James), but given where James has been, it is probably worth your time to check out the interview as well. – MR
  4. Don’t make me come in there: Did PayPal really take out a full page ad poking Apple over the iCloud breach? Evidently so. Obviously that shot across Apple’s bow is a (rather lame) attempt to link iCloud security failures to the just-announced Apple Pay security. And this just a few months after PayPal’s failure with Two-Factor auth bypass and eBay’s own password breach? Wow. Talk about throwing stones inside a glass house. None of this will sway someone to use PayPal or not to use Apple Pay. It all comes back to convenience, so if Apple Pay is easy and available where folks shop, they will use it. On the plus side, we get to witness two big companies acting like children fighting over a toy: “I had it first!” – AL
  5. Embrace Chaos: The Netflix blog offers a very cool view into how they think about chaos. That is their approach to testing cloud infrastructure, by trying to break it in an automated fashion – a discipline they now call “chaos engineering”. That would be a good job title. “Mom, I just got a job as a chaos engineer!” Not sure dear old Mom would be telling that story in the mahjong room, but I digress. Netflix has released a bunch of open source tools to get folks experimenting with chaos, and now they are educating people about their philosophy as well. Good stuff – especially making chaos into a programmatic effort that scales with the size of the infrastructure and company. Using words like ‘virtuous’ and chaos in the same sentence feels like an oxymoron, but it works when they talk about pushing for resilience at scale. Overall it is a very interesting approach, and one which will supplement traditional testing over time – especially as more and more business comes through online channels and downtime is ever more no bueno. – MR